Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 15:00
Static task: static1
Behavioral task: behavioral1
  Sample: e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
Size: 512KB
MD5: e2cc01f9e278119400e4894f1c7262fa
SHA1: 829942f7749fe8058d082ad3fc711182ca0cefca
SHA256: c3adf3a04f27b2dab14b14b4849ff6f6562af277b2f2592770717489ab7e806a
SHA512: 164b351c73a58dfa99586663966023602e4e6d641a998839e9cc5e4552c139b0aa122d1e64f071598c51f82e24882447dbb160cf002da236cc23ce88a655945b
SSDEEP: 6144:1VY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bcodj67:1gDhdkq5BCoC5LfWSLTUQpr2Zu19Qm54
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | zheddmnpad.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | zheddmnpad.exe
Windows security bypass (5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zheddmnpad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zheddmnpad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zheddmnpad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zheddmnpad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zheddmnpad.exe
Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | zheddmnpad.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
Executes dropped EXE (5 IoCs)
pid | Process
4556 | zheddmnpad.exe
3740 | ccmphxjnuqxskhb.exe
2056 | ozvmxwbq.exe
4928 | yazcwdejvqjhg.exe
4496 | ozvmxwbq.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirstRunDisabled = "1" | zheddmnpad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | zheddmnpad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | zheddmnpad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | zheddmnpad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | zheddmnpad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | zheddmnpad.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\numzzpch = "zheddmnpad.exe" | ccmphxjnuqxskhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rbszytsq = "ccmphxjnuqxskhb.exe" | ccmphxjnuqxskhb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "yazcwdejvqjhg.exe" | ccmphxjnuqxskhb.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\a: | ozvmxwbq.exe
File opened (read-only) | \??\m: | zheddmnpad.exe
File opened (read-only) | \??\s: | ozvmxwbq.exe
File opened (read-only) | \??\m: | ozvmxwbq.exe
File opened (read-only) | \??\q: | ozvmxwbq.exe
File opened (read-only) | \??\z: | ozvmxwbq.exe
File opened (read-only) | \??\y: | ozvmxwbq.exe
File opened (read-only) | \??\e: | ozvmxwbq.exe
File opened (read-only) | \??\b: | ozvmxwbq.exe
File opened (read-only) | \??\j: | ozvmxwbq.exe
File opened (read-only) | \??\a: | ozvmxwbq.exe
File opened (read-only) | \??\o: | ozvmxwbq.exe
File opened (read-only) | \??\l: | ozvmxwbq.exe
File opened (read-only) | \??\x: | ozvmxwbq.exe
File opened (read-only) | \??\p: | zheddmnpad.exe
File opened (read-only) | \??\x: | ozvmxwbq.exe
File opened (read-only) | \??\s: | zheddmnpad.exe
File opened (read-only) | \??\g: | ozvmxwbq.exe
File opened (read-only) | \??\i: | ozvmxwbq.exe
File opened (read-only) | \??\z: | ozvmxwbq.exe
File opened (read-only) | \??\e: | zheddmnpad.exe
File opened (read-only) | \??\n: | zheddmnpad.exe
File opened (read-only) | \??\p: | ozvmxwbq.exe
File opened (read-only) | \??\u: | ozvmxwbq.exe
File opened (read-only) | \??\n: | ozvmxwbq.exe
File opened (read-only) | \??\u: | ozvmxwbq.exe
File opened (read-only) | \??\v: | ozvmxwbq.exe
File opened (read-only) | \??\j: | zheddmnpad.exe
File opened (read-only) | \??\y: | zheddmnpad.exe
File opened (read-only) | \??\h: | ozvmxwbq.exe
File opened (read-only) | \??\k: | ozvmxwbq.exe
File opened (read-only) | \??\t: | ozvmxwbq.exe
File opened (read-only) | \??\w: | zheddmnpad.exe
File opened (read-only) | \??\n: | ozvmxwbq.exe
File opened (read-only) | \??\w: | ozvmxwbq.exe
File opened (read-only) | \??\v: | zheddmnpad.exe
File opened (read-only) | \??\s: | ozvmxwbq.exe
File opened (read-only) | \??\e: | ozvmxwbq.exe
File opened (read-only) | \??\q: | ozvmxwbq.exe
File opened (read-only) | \??\g: | ozvmxwbq.exe
File opened (read-only) | \??\l: | ozvmxwbq.exe
File opened (read-only) | \??\m: | ozvmxwbq.exe
File opened (read-only) | \??\p: | ozvmxwbq.exe
File opened (read-only) | \??\o: | zheddmnpad.exe
File opened (read-only) | \??\t: | zheddmnpad.exe
File opened (read-only) | \??\z: | zheddmnpad.exe
File opened (read-only) | \??\w: | ozvmxwbq.exe
File opened (read-only) | \??\o: | ozvmxwbq.exe
File opened (read-only) | \??\i: | zheddmnpad.exe
File opened (read-only) | \??\i: | ozvmxwbq.exe
File opened (read-only) | \??\y: | ozvmxwbq.exe
File opened (read-only) | \??\r: | ozvmxwbq.exe
File opened (read-only) | \??\b: | ozvmxwbq.exe
File opened (read-only) | \??\h: | zheddmnpad.exe
File opened (read-only) | \??\k: | zheddmnpad.exe
File opened (read-only) | \??\r: | zheddmnpad.exe
File opened (read-only) | \??\u: | zheddmnpad.exe
File opened (read-only) | \??\x: | zheddmnpad.exe
File opened (read-only) | \??\r: | ozvmxwbq.exe
File opened (read-only) | \??\t: | ozvmxwbq.exe
File opened (read-only) | \??\g: | zheddmnpad.exe
File opened (read-only) | \??\b: | zheddmnpad.exe
File opened (read-only) | \??\l: | zheddmnpad.exe
File opened (read-only) | \??\q: | zheddmnpad.exe
Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197" | zheddmnpad.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan = "0" | zheddmnpad.exe
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/224-0-0x0000000000400000-0x0000000000496000-memory.dmp | autoit_exe
behavioral2/files/0x00070000000231f2-6.dat | autoit_exe
behavioral2/files/0x00080000000231ee-18.dat | autoit_exe
behavioral2/files/0x00070000000231f3-25.dat | autoit_exe
behavioral2/files/0x00070000000231f4-31.dat | autoit_exe
behavioral2/files/0x0003000000000711-67.dat | autoit_exe
behavioral2/files/0x000400000001da45-73.dat | autoit_exe
behavioral2/files/0x000c00000001e5c0-99.dat | autoit_exe
behavioral2/files/0x000c00000001e5c0-107.dat | autoit_exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\ozvmxwbq.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\yazcwdejvqjhg.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ozvmxwbq.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\zheddmnpad.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\yazcwdejvqjhg.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | zheddmnpad.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File created | C:\Windows\SysWOW64\zheddmnpad.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File created | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File opened for modification | \??\c:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc.exe | ozvmxwbq.exe
Drops file in Program Files directory (14 IoCs)
description | ioc | Process
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ozvmxwbq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ozvmxwbq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ozvmxwbq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ozvmxwbq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ozvmxwbq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ozvmxwbq.exe
File created | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ozvmxwbq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ozvmxwbq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.nal | ozvmxwbq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC.exe | ozvmxwbq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ozvmxwbq.exe
File opened for modification | \??\c:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC.exe | ozvmxwbq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ozvmxwbq.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.nal | ozvmxwbq.exe
Drops file in Windows directory (19 IoCs)
description | ioc | Process
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File opened for modification | C:\Windows\mydoc.rtf | WINWORD.EXE
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File created | C:\Windows\~$mydoc.rtf | WINWORD.EXE
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File opened for modification | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_f619255888acbca6\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File opened for modification | C:\Windows\mydoc.rtf | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_c3bc3dbd94da3c61\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File opened for modification | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File created | \??\c:\Windows\WinSxS\amd64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.746_none_ebc47b06544bfaab\MsoIrmProtector.doc.exe | ozvmxwbq.exe
File created | \??\c:\Windows\WinSxS\wow64_microsoft-windows-r..t-office-protectors_31bf3856ad364e35_10.0.19041.1_none_ce10e80fc93afe5c\MsoIrmProtector.doc.exe | ozvmxwbq.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com2 = "6ACDFACEF960F29983783A3286EA39E6B38A038A4260023AE1C542E808A8" | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com3 = "2FC4B020449339EF52BDB9D532E8D4BC" | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc\ = "txtfile" | zheddmnpad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | zheddmnpad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | zheddmnpad.exe
Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\Software\Classes\CLV.Classes | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com1 = "32302C0B9C2C83206A4176DD70512DDE7D8F64DD" | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "txtfile" | zheddmnpad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | zheddmnpad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\Com4 = "7FF8FFF94F2A85129046D7587D90BDE7E634584667366336D7EA" | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom1 = "E78468B0FE6922A9D17AD1D58A7A9162" | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLV.Classes\StartCom2 = "1939C60814E1DBB1B9CD7FE0ECE437C8" | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | zheddmnpad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | zheddmnpad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | zheddmnpad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | zheddmnpad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | zheddmnpad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "txtfile" | zheddmnpad.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsc | zheddmnpad.exe
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
1084 | WINWORD.EXE (x2)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
224 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe (x16)
4556 | zheddmnpad.exe (x10)
2056 | ozvmxwbq.exe (x8)
3740 | ccmphxjnuqxskhb.exe (x8)
4928 | yazcwdejvqjhg.exe (x12)
4496 | ozvmxwbq.exe (x8)
3740 | ccmphxjnuqxskhb.exe (x2)
Suspicious use of FindShellTrayWindow (18 IoCs)
pid | Process
224 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe (x3)
4556 | zheddmnpad.exe (x3)
2056 | ozvmxwbq.exe (x3)
3740 | ccmphxjnuqxskhb.exe
4928 | yazcwdejvqjhg.exe
3740 | ccmphxjnuqxskhb.exe
4928 | yazcwdejvqjhg.exe
3740 | ccmphxjnuqxskhb.exe
4928 | yazcwdejvqjhg.exe
4496 | ozvmxwbq.exe (x3)
Suspicious use of SendNotifyMessage (18 IoCs)
pid | Process
224 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe (x3)
4556 | zheddmnpad.exe (x3)
2056 | ozvmxwbq.exe (x3)
3740 | ccmphxjnuqxskhb.exe
4928 | yazcwdejvqjhg.exe
3740 | ccmphxjnuqxskhb.exe
4928 | yazcwdejvqjhg.exe
3740 | ccmphxjnuqxskhb.exe
4928 | yazcwdejvqjhg.exe
4496 | ozvmxwbq.exe (x3)
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
1084 | WINWORD.EXE (x7)
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 224 wrote to memory of 4556 | 224 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe | 86 (x3)
PID 224 wrote to memory of 3740 | 224 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe | 87 (x3)
PID 224 wrote to memory of 2056 | 224 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe | 88 (x3)
PID 224 wrote to memory of 4928 | 224 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe | 89 (x3)
PID 224 wrote to memory of 1084 | 224 | e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe | 90 (x2)
PID 4556 wrote to memory of 4496 | 4556 | zheddmnpad.exe | 92 (x3)
Processes
C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe (level 1, PID 224)
  command line: "C:\Users\Admin\AppData\Local\Temp\e2cc01f9e278119400e4894f1c7262fa_JaffaCakes118.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\zheddmnpad.exe (level 2, PID 4556)
    command line: zheddmnpad.exe
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ozvmxwbq.exe (level 3, PID 4496)
      command line: C:\Windows\system32\ozvmxwbq.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ccmphxjnuqxskhb.exe (level 2, PID 3740)
    command line: ccmphxjnuqxskhb.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\ozvmxwbq.exe (level 2, PID 2056)
    command line: ozvmxwbq.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\yazcwdejvqjhg.exe (level 2, PID 4928)
    command line: yazcwdejvqjhg.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 2, PID 1084)
    command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\mydoc.rtf" /o ""
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 512KB
MD5: 92b8da49db17d7be0f63e54a455a1391
SHA1: 8501f386858bfc9556a528a17921dbe8bb754c6d
SHA256: 2c44252e9c241c07a52da4b940dcb3d541fba2e6851907a00a10f9cc2b97b88a
SHA512: 572dcce13fcb80365cb528640ef02b84ebe43221ec969874f4b3008a60103d867a6903f3441724b405ec41030799f196dd136a4bbc4ff15c1ebe04a9284093f3

Filesize: 512KB
MD5: a594c70919cdcda61b97fa59d320f767
SHA1: af89006937330e9487cb648f0202d7bf9d102b72
SHA256: 3df30aefa0e6cc89b8acb53d2abeed46b20be1a31d4b9897011a377dc3d3b83d
SHA512: b8191372745dfe9ae8f80a59e3821dd6936e01041b2316db8bd035711e1ac9746c6586d362630d6d13582e5c86fd48f8329f987e31e5fa8df58e91fa7a476ffb

Filesize: 239B
MD5: 12b138a5a40ffb88d1850866bf2959cd
SHA1: 57001ba2de61329118440de3e9f8a81074cb28a2
SHA256: 9def83813762ad0c5f6fdd68707d43b7ccd26633b2123254272180d76bc3faaf
SHA512: 9f69865a791d09dec41df24d68ad2ab8292d1b5beeca8324ba02feba71a66f1ca4bb44954e760c0037c8db1ac00d71581cab4c77acbc3fb741940b17ccc444eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: fc157baa537015a38b9e29ee3bc770d6
SHA1: e2d35e841b852229ee0d2f006b1cda73b48d8b50
SHA256: 51e5fc5824aaba1d8483930cbc7a6bdb7ca628c2fa29c5701281fea21b71e253
SHA512: 864c1ebdccb87a3cc697f21b80bbd83a4932fe5f72350d88ca0b2a56f05af1b3511091351cd3205ff41109189854c89e36f322d07f85ae4cf64374be1550e73d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 3KB
MD5: fed9a545e591b9901eefac72cb516652
SHA1: 0263c21e5d071c68052b78cc0846a1be958905ee
SHA256: a3c28a6d57a734d2618a827235243b7ac7c365e29dec0cb9d589b397738251b9
SHA512: 5fee5b3b65e890513384119786e98289707f2864196f15039207bed86d03f454eb8bf58cb3a8e063cde4410cdb2493dc98dc2b78d2b2a46018ef1fb202cf763f

Filesize: 512KB
MD5: 6f0ecef5026e43a63d213d08684bc0dd
SHA1: 17bff1fd46450314acfc5e4dd1f4c7e7715933e0
SHA256: dde597fecc2f728857f811dd1eae9026268211f85be088a6d6bdc7b63be12fb5
SHA512: f229c866688172036f6a84adf483f6aa524bfaab7211611ce1aab49fa6eaf010f243b173370244e5975acc5f96aa3698b432bb46347f215ea4985031939f908a

Filesize: 512KB
MD5: 0db8095f8e91b69ede1be5cabee96437
SHA1: 5134370084ce33857973b29122ea85e0be8062c9
SHA256: ecb25ce00b7b530788ae2ff6908fc53c117f6275067fa25dc476391414ef6562
SHA512: 8d47976287b5c8fe4ffbf7658843c72d148ae769a3a0bffccf9a6be8e265d9613eb25024d66f0403f13de18b6bb7407caf0d69fcf9734eaceaf2111dfc6ecec2

Filesize: 512KB
MD5: e741e32217e2015bcf45bf664f24b943
SHA1: 9e5ddf1da0c3e7d7bfaadd1475272c5d570a6490
SHA256: cacab44a827090f6f91d9eec7a02d2bbb43bf5be8fce562f54049ad5a4de39fa
SHA512: 7d4a7dee4d6afda3baf4a8e652d7ce47953cf05569299bf545bf03a5d78e96be2f9dbcdda9c326430efee9bcdae3e68c737f66eee6c820820fb75f307df8334e

Filesize: 512KB
MD5: fa0278293033bd22b67ce25e6b669023
SHA1: 2f81c3b1d1a1da3e11143a3540bd08474f25a649
SHA256: 6a03ff8b0e2b2f3f6191c8c03779db94bf8d18a52a0537309447fa1d16c98980
SHA512: 27157f91140b9ffb84059685e631269664fe860e928d1b47c12070dddf4919fba8f58f36344063865bc176a5339eed857bfc9f6c3403c4e472700d1aeb934c2a

Filesize: 223B
MD5: 06604e5941c126e2e7be02c5cd9f62ec
SHA1: 4eb9fdf8ff4e1e539236002bd363b82c8f8930e1
SHA256: 85f2405d1f67021a3206faa26f6887932fea71aea070df3efb2902902e2d03e2
SHA512: 803f5f2fddbf29fef34de184eb35c2311b7a694740983ca10b54ef252dd26cda4987458d2569f441c6dedc3478bea12b45bfd3566f1b256504a0869ad3829df7

Filesize: 512KB
MD5: 71c8efe3bee2db633e9e9a32009bf1e2
SHA1: d95668e7b13c71e669a5939ac73d034c7695e1d1
SHA256: f1a2a281274a71d125697935362de61d1004853185b9befe8631c6cf9506c194
SHA512: fe7778acd4514ceceaed434d5bad970cdb7163d2bd0ef5df2f511d0fdfcb1cd5aa243100031707a540d0d604a43b2588f5d4d9094dcf539a883d51ee623bb3f1

Filesize: 512KB
MD5: e4bffcbb3c8d40fe7a1dfe176ed712ed
SHA1: 93171aae82cbc83e7aa5310fbf36eb2cb06a92c9
SHA256: b0cdb1fb12445c8df73aeac88749b38271c43080ac6e35edf982e0e7b6cfe978
SHA512: 114791810667508fb79d9da649916e85ebdef86470b014618bd9558397b9e9eccb631210ffd8ddb56590c49cf36ae140bf4b565fdd0dc44bb5cc5f101d92181d